AMENDMENTS TO THE CLAIMS

This listing of claims will replace all prior versions, and listings, of claims in the application: 


Listing of Claims: 


1. (Currently amended) A method of email access control, comprising the steps of:
receiving a personalized access ticket containing a sender's identification and a recipient's
identification in correspondence and indicating an access right, which is presented by a
sender who wishes to send an email to a recipient so as to specify the recipient as an intended 
destination of the email, at a secure communication service for connecting communications 
between the sender and the receiver; and 

controlling accesses between the sender and the recipient by verifying an the access right 
of the sender with respect to the recipient according to the personalized access ticket at the 
secure communication service. 

2. (Original) The method of claim 1, wherein at the controlling step the secure
communication service authenticates the personalized access ticket presented by the sender,
and refuses a delivery of the email when the personalized access ticket presented by the
sender has been altered. 

3. (Original) The method of claim 2, wherein the personalized access ticket is signed
by a secret key of a secure processing device which issued the personalized access ticket, and 
at the controlling step the secure communication service authenticates the personalized 
access ticket by verifying a signature of the secure processing device in the personalized 
access ticket using a public key of the secure processing device. 

4. (Original) The method of claim 1, wherein at the receiving step the secure
communication service also receives the sender's identification presented by the sender along 
with the personalized access ticket, and at the controlling step the secure communication
service checks whether the sender's identification presented by the sender is contained in the
personalized access ticket presented by the sender, and refuses a delivery of the email when 
the sender's identification presented by the sender is not contained in the personalized access 
ticket presented by the sender. 

5. (Original) The method of claim 1, wherein the personalized access ticket also 
contains a validity period indicating a period for which the personalized access ticket is 
valid, and at the controlling step the secure communication service checks the validity period 
contained in the personalized access ticket presented by the sender and refuses a delivery of 
the email when the personalized access ticket presented by the sender contains the validity 
period that has already been expired. 
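
The refusal conditions of claims 2 through 5, written out as an added illustration that is not part of the application: Ed25519, the JSON encoding, the sample addresses and the names `Ticket`, `Issue`, `Check` and `scenarios` are assumptions, since the claims name no signature algorithm or ticket format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Ticket is a hypothetical layout for the personalized access ticket:
// sender and recipient identifications plus the validity period of claim 5.
type Ticket struct {
	Sender    string    `json:"sender"`
	Recipient string    `json:"recipient"`
	NotAfter  time.Time `json:"not_after"`
}

// SignedTicket carries the exact bytes that were signed and the signature.
type SignedTicket struct {
	Body []byte
	Sig  []byte
}

var (
	ErrAltered        = errors.New("refused: ticket has been altered")
	ErrSenderMismatch = errors.New("refused: presented sender is not in the ticket")
	ErrExpired        = errors.New("refused: validity period has expired")
)

// Issue plays the secure processing device: it signs the ticket with its secret key.
func Issue(priv ed25519.PrivateKey, t Ticket) (SignedTicket, error) {
	body, err := json.Marshal(t)
	if err != nil {
		return SignedTicket{}, err
	}
	return SignedTicket{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Check plays the secure communication service. It returns the recipient to
// deliver to, or the reason for refusing delivery.
func Check(pub ed25519.PublicKey, st SignedTicket, presented string, now time.Time) (string, error) {
	// Claim 3: verify the signature first; no field is trusted before this.
	if !ed25519.Verify(pub, st.Body, st.Sig) {
		return "", ErrAltered
	}
	var t Ticket
	if err := json.Unmarshal(st.Body, &t); err != nil {
		return "", err
	}
	// Claim 4: the identification the sender presents must be the one in the ticket.
	if presented != t.Sender {
		return "", ErrSenderMismatch
	}
	// Claim 5: refuse once the validity period has passed.
	if now.After(t.NotAfter) {
		return "", ErrExpired
	}
	return t.Recipient, nil
}

// scenarios runs one accepted and three refused deliveries on constructed data.
func scenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // constructed clock
	good := Ticket{Sender: "alice@example.com", Recipient: "bob@example.org", NotAfter: now.Add(24 * time.Hour)}
	st, err := Issue(priv, good)
	if err != nil {
		return nil, err
	}
	// Altered ticket: recipient rewritten, original signature kept.
	forged, err := json.Marshal(Ticket{Sender: good.Sender, Recipient: "carol@example.net", NotAfter: good.NotAfter})
	if err != nil {
		return nil, err
	}
	old, err := Issue(priv, Ticket{Sender: good.Sender, Recipient: good.Recipient, NotAfter: now.Add(-time.Hour)})
	if err != nil {
		return nil, err
	}
	out := map[string]error{}
	rcpt, err := Check(pub, st, "alice@example.com", now)
	if err == nil && rcpt != good.Recipient {
		err = errors.New("unexpected recipient")
	}
	out["valid"] = err
	_, out["altered"] = Check(pub, SignedTicket{Body: forged, Sig: st.Sig}, "alice@example.com", now)
	_, out["wrong_sender"] = Check(pub, st, "dave@example.com", now)
	_, out["expired"] = Check(pub, old, "alice@example.com", now)
	return out, nil
}

func main() {
	res, err := scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"valid", "altered", "wrong_sender", "expired"} {
		fmt.Printf("%-12s -> %v\n", name, res[name])
	}
}
```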

6. (Original) The method of claim 5, wherein the validity period of the personalized 
access ticket is set by a trusted third party. 

7. (Original) The method of claim 1, further comprising the step of:

issuing the personalized access ticket to the sender at a directory service for managing an 
identification of each registrant and a disclosed information of each registrant which has a 
lower secrecy than a personal information, in a state which is accessible for search by 
unspecified many, in response to search conditions specified by the sender, by using an 
identification of a registrant whose disclosed information matches the search conditions as 
the recipient's identification and the sender's identification specified by the sender along with 
the search conditions. 

8. (Original) The method of claim 1, further comprising the step of: 

registering in advance the personalized access ticket containing an identification of a 
specific user from which a delivery of emails to a specific registrant is to be refused as the 
sender's identification and an identification of the specific registrant as the recipient's 
identification, at the secure communication service;
wherein at the controlling step the secure communication service refuses a delivery of the
email from the sender when the personalized access ticket presented by the sender is
registered therein in advance at the registering step.

9. (Original) The method of claim 8, further comprising the step of:
deleting the personalized access ticket registered at the secure communication service
upon request from the specific registrant who registered the personalized access ticket at the
registering step.

10. (Original) The method of claim 1, wherein the personalized access ticket also
contains a transfer control flag indicating whether or not the sender should be authenticated
by the secure communication service, and at the controlling step, when the transfer control
flag contained in the personalized access ticket indicates that the sender should be
authenticated, the secure communication service authenticates the sender's identification
presented by the sender and refuses a delivery of the email when an authentication of the
sender's identification fails.

11. (Original) The method of claim 10, wherein the authentication of the sender's
identification is realized by a challenge/response procedure between the sender and the
secure communication service.

12. (Original) The method of claim 10, wherein the transfer control flag of the 
personalized access ticket is set by a trusted third party. 

13. (Original) The method of claim 1, wherein the sender's identification and the
recipient's identification in the personalized access ticket are given by real email addresses of
the sender and the recipient.

14. (Original) The method of claim 1, wherein the sender's identification and the
recipient's identification in the personalized access ticket are given by anonymous 
identifications of the sender and the recipient, where an anonymous identification of each 
user contains at least one fragment of an official identification of each user by which each 
user is uniquely identifiable by a certification authority. 

15. (Original) The method of claim 14, wherein the anonymous identification of each 
user is an information containing the at least one fragment of the official identification of 
each user which is signed by the certification authority using a secret key of the certification 
authority. 

16. (Original) The method of claim 14, wherein the official identification of each user 
is a character string uniquely assigned to each user by the certification authority and a public 
key of each user which are signed by a secret key of the certification authority. 

17. (Original) The method of claim 14, further comprising the step of: 
probabilistically identifying an identity of the sender by reconstructing the official
identification of the sender by judging identity of a plurality of anonymous identifications of
the sender contained in a plurality of personalized access tickets used by the sender. 

18. (Original) The method of claim 1, wherein an anonymous identification of each 
user that contains at least one fragment of an official identification of each user by which 
each user is uniquely identifiable by a certification authority and a link information of each 
anonymous identification by which each anonymous identification can be uniquely identified 
are defined, and the sender's identification and the recipient's identification in the 
personalized access ticket are given by a link information of the anonymous identification of 
the sender and a link information of the anonymous identification of the recipient. 


ATLLIB02 153382.1 


Application No. 09/277? 
First Response 
Page 6 of 33 


19. (Original) The method of claim 1, wherein the link information of each
anonymous identification is an identifier uniquely assigned to each anonymous identification 
by the certification authority. 

20. (Original) The method of claim 18, further comprising the step of: 
probabilistically identifying an identity of the sender by reconstructing the official
identification of the sender by judging identity of a plurality of anonymous identifications of
the sender corresponding to the link information contained in a plurality of personalized 
access tickets used by the sender. 

21. (Original) The method of claim 1, wherein the personalized access ticket contains
a single sender's identification and a single recipient's identification in 1-to-1
correspondence. 

22. (Original) The method of claim 1, wherein the personalized access ticket contains
a single sender's identification and a plurality of recipient's identifications in 1-to-N 
correspondence, where N is an integer greater than 1. 

23. (Original) The method of claim 22, wherein one identification among the single 
sender's identification and the plurality of recipient's identifications is a holder identification 
for identifying a holder of the personalized access ticket while other identifications among 
the single sender's identification and the plurality of recipient's identifications are member 
identifications for identifying members of a group to which the holder belongs. 

24. (Original) The method of claim 23, further comprising the step of:

issuing an identification of each user and an enabler of the identification of each user 
indicating a right to change the personalized access ticket containing the identification of 
each user as the holder identification, to each user at a certification authority, such that 
prescribed processing on the personalized access ticket can be carried out at a secure
processing device only by a user who presented both the holder identification contained in
the personalized access ticket and the enabler corresponding to the holder identification to 
the secure processing device. 

25. (Original) The method of claim 24, wherein the certification authority issues the 
enabler of the identification of each user as an information indicating that it is the enabler 
and the identification of each user itself which are signed by a secret key of the certification 
authority. 

26. (Original) The method of claim 24, wherein the prescribed processing includes a
generation of a new personalized access ticket, a merging of a plurality of personalized
access tickets, a splitting of one personalized access ticket into a plurality of personalized
access tickets, a changing of the holder of the personalized access ticket, changing of a
validity period of the personalized access ticket, and a changing of a transfer control flag of
the personalized access ticket.

27. (Original) The method of claim 26, wherein a special identification and a special 
enabler corresponding to the special identification which are known to all users are defined 
such that the generation of a new personalized access ticket and the changing of the holder of 
the personalized access ticket can be carried out by the holder of the personalized access 
ticket by using the special identification and the special enabler without using an enabler of a 
member identification. 

28. (Original) The method of claim 27, wherein the special identification is defined to 
be capable of being used only as the holder identification of the personalized access ticket. 

29. (Original) The method of claim 26, wherein a special identification which is 
known to all users is defined such that a read only attribute can be set to the personalized 
access ticket by using the special identification.

30. (Original) The method of claim 1, wherein at the controlling step, when the access
right of the sender with respect to the recipient is verified according to the personalized
access ticket, the secure communication service takes out the recipient's identification from
the personalized access ticket by using the sender's identification presented by the sender,
converts the mail by using a taken out recipient's identification into a format that can be
interpreted by a mail transfer function for actually carrying out a mail delivery processing,
and gives the mail after conversion to the mail transfer function by attaching the personalized
access ticket.

31. (Currently amended) A method of email access control, comprising the steps of:
defining an official identification of each user by which each user is uniquely identifiable
by a certification authority, and an anonymous identification of each user containing at least
one fragment of the official identification such that each user cannot be personally identified
by the anonymous identification; and

identifying each user by the anonymous identification of each user in communications for
emails on a communication network.

32. (Original) The method of claim 31, wherein the anonymous identification of each
user is an information containing the at least one fragment of the official identification of
each user which is signed by the certification authority using a secret key of the certification
authority.

33. (Original) The method of claim 31, wherein the official identification of each user
is a character string uniquely assigned to each user by the certification authority and a public
key of each user which are signed by a secret key of the certification authority.

34. (Original) The method of claim 31, further comprising the steps of:
receiving a personalized access ticket containing a sender's anonymous identification and
a recipient's anonymous identification in correspondence, which is presented by a sender
who wishes to send an email to a recipient so as to specify the recipient as an intended
destination of the email, at a secure communication service for connecting communications
between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of
the sender with respect to the recipient according to the personalized access ticket at the
secure communication service.

35. (Original) The method of claim 34, further comprising the step of:
probabilistically identifying an identity of the sender at the secure communication service
by reconstructing the official identification of the sender while judging identity of a plurality
of anonymous identifications of the sender contained in a plurality of personalized access
tickets used by the sender.

36. (Original) The method of claim 31, wherein the defining step also defines a link
information of each anonymous identification by which each anonymous identification can
be uniquely identified, and each anonymous identification also contains the link information
of each anonymous identification.

37. (Original) The method of claim 36, wherein the link information of each
anonymous identification is an identifier uniquely assigned to each anonymous identification
by the certification authority.

38. (Original) The method of claim 36, further comprising the steps of:
receiving a personalized access ticket containing a link information of a sender's
anonymous identification and a link information of a recipient's anonymous identification in
correspondence, which is presented by a sender who wishes to send an email to a recipient so
as to specify the recipient as an intended destination of the email, at a secure communication
service for connecting communications between the sender and the receiver; and 

controlling accesses between the sender and the recipient by verifying an access right of 
the sender with respect to the recipient according to the personalized access ticket at the 
secure communication service. 

39. (Original) The method of claim 38, further comprising the step of: 
probabilistically identifying an identity of the sender by reconstructing the official
identification of the sender while judging identity of a plurality of anonymous identifications
of the sender corresponding to the link information contained in a plurality of personalized 
access tickets used by the sender. 

40. (Currently amended) A communication system realizing email access control, 
comprising: 

a communication network to which a plurality of user terminals are connected; and 
a secure communication service device for connecting communications between the 
sender and the receiver on the communication network, by receiving a personalized access 
ticket containing a sender's identification and a recipient's identification in correspondence 
and indicating an access right, which is presented by a sender who wishes to send an email to
a recipient so as to specify the recipient as an intended destination of the email, and 
controlling accesses between the sender and the recipient by verifying an the access right of 
the sender with respect to the recipient according to the personalized access ticket. 

41. (Original) The system of claim 40, wherein the secure communication service
device authenticates the personalized access ticket presented by the sender, and refuses a 
delivery of the email when the personalized access ticket presented by the sender has been 
altered. 

42. (Original) The system of claim 41, further comprising:
a secure processing device for issuing the personalized access ticket which is signed by a
secret key of the secure processing device; 

wherein the secure communication service device authenticates the personalized access 
ticket by verifying a signature of the secure processing device in the personalized access 
ticket using a public key of the secure processing device. 

43. (Original) The system of claim 40, wherein the secure communication service
device also receives the sender's identification presented by the sender along with the 
personalized access ticket, checks whether the sender's identification presented by the sender 
is contained in the personalized access ticket presented by the sender, and refuses a delivery 
of the email when the sender's identification presented by the sender is not contained in the 
personalized access ticket presented by the sender. 

44. (Original) The system of claim 40, wherein the personalized access ticket also 
contains a validity period indicating a period for which the personalized access ticket is 
valid, and the secure communication service device checks the validity period contained in 
the personalized access ticket presented by the sender and refuses a delivery of the email 
when the personalized access ticket presented by the sender contains the validity period that 
has already been expired. 

45. (Original) The system of claim 44, further comprising:

a trusted third party for setting the validity period of the personalized access ticket. 

46. (Original) The system of claim 40, further comprising: 

a directory service device for managing an identification of each registrant and a
disclosed information of each registrant which has a lower secrecy than a personal 
information, in a state which is accessible for search by unspecified many, and issuing the 
personalized access ticket to the sender in response to search conditions specified by the 
sender, by using an identification of a registrant whose disclosed information matches the
search conditions as the recipient's identification and the sender's identification specified by
the sender along with the search conditions.

47. (Original) The system of claim 40, wherein the secure communication service
device registers in advance the personalized access ticket containing an identification of a
specific user from which a delivery of emails to a specific registrant is to be refused as the
sender's identification and an identification of the specific registrant as the recipient's
identification, and refuses a delivery of the email from the sender when the personalized
access ticket presented by the sender is registered therein in advance.

48. (Original) The system of claim 47, wherein the secure communication service
device deletes the personalized access ticket registered therein upon request from the specific
registrant who registered the personalized access ticket.

49. (Original) The system of claim 40, wherein the personalized access ticket also
contains a transfer control flag indicating whether or not the sender should be authenticated
by the secure communication service, and when the transfer control flag contained in the
personalized access ticket indicates that the sender should be authenticated, the secure
communication service device authenticates the sender's identification presented by the
sender and refuses a delivery of the email when an authentication of the sender's
identification fails.

50. (Original) The system of claim 49, wherein the authentication of the sender's
identification is realized by a challenge/response procedure between the sender and the
secure communication service device.

51. (Original) The system of claim 49, further comprising a trusted third party for
setting the transfer control flag of the personalized access ticket.

52. (Original) The system of claim 40, wherein the sender's identification and the
recipient's identification in the personalized access ticket are given by real email addresses of 
the sender and the recipient. 

53. (Original) The system of claim 40, further comprising:

a certification authority device for issuing an anonymous identification of each user which 
contains at least one fragment of an official identification of each user by which each user is 
uniquely identifiable by the certification authority device; 

wherein the sender's identification and the recipient's identification in the personalized 
access ticket are given by anonymous identifications of the sender and the recipient. 

54. (Original) The system of claim 53, wherein the anonymous identification of each
user is an information containing the at least one fragment of the official identification of 
each user which is signed by the certification authority device using a secret key of the 
certification authority device. 

55. (Original) The system of claim 53, wherein the official identification of each user
is a character string uniquely assigned to each user by the certification authority device and a
public key of each user which are signed by a secret key of the certification authority device.

56. (Original) The system of claim 53, wherein the secure communication service 
device probabilistically identifies an identity of the sender by reconstructing the official 
identification of the sender while judging identity of a plurality of anonymous identifications 
of the sender contained in a plurality of personalized access tickets used by the sender. 

57. (Original) The system of claim 40, further comprising: 

a certification authority device for issuing an anonymous identification of each user which 
contains at least one fragment of an official identification of each user by which each user is 
uniquely identifiable by the certification authority device and a link information of each
anonymous identification by which each anonymous identification can be uniquely
identified; 

wherein the sender's identification and the recipient's identification in the personalized 
access ticket are given by a link information of the anonymous identification of the sender 
and a link information of the anonymous identification of the recipient. 

58. (Original) The system of claim 57, wherein the link information of each 
anonymous identification is an identifier uniquely assigned to each anonymous identification 
by the certification authority device. 

59. (Original) The system of claim 57, wherein the secure communication service 
device probabilistically identifies an identity of the sender by reconstructing the official 
identification of the sender while judging identity of a plurality of anonymous identifications 
of the sender corresponding to the link information contained in a plurality of personalized 
access tickets used by the sender. 

60. (Original) The system of claim 40, wherein the personalized access ticket contains 
a single sender's identification and a single recipient's identification in 1-to-1
correspondence. 

61. (Original) The system of claim 40, wherein the personalized access ticket contains
a single sender's identification and a plurality of recipient's identifications in 1-to-N 
correspondence, where N is an integer greater than 1. 

62. (Original) The system of claim 61, wherein one identification among the single
sender's identification and the plurality of recipient's identifications is a holder identification 
for identifying a holder of the personalized access ticket while other identifications among 
the single sender's identification and the plurality of recipient's identifications are member 
identifications for identifying members of a group to which the holder belongs.

63. (Original) The system of claim 62, further comprising:


a certification authority device for issuing to each user an identification of each user and 
an enabler of the identification of each user indicating a right to change the personalized 
access ticket containing the identification of each user as the holder identification; and 

a secure processing device at which prescribed processing on the personalized access 
ticket can be carried out only by a user who presented both the holder identification 
contained in the personalized access ticket and the enabler corresponding to the holder 
identification to the secure processing device. 

64. (Original) The system of claim 63, wherein the certification authority device 
issues the enabler of the identification of each user as an information indicating that it is the 
enabler and the identification of each user itself which are signed by a secret key of the 
certification authority device. 

65. (Original) The system of claim 63, wherein the prescribed processing includes a 
generation of a new personalized access ticket, a merging of a plurality of personalized 
access tickets, a splitting of one personalized access ticket into a plurality of personalized 
access tickets, a changing of the holder of the personalized access ticket, changing of a 
validity period of the personalized access ticket, and a changing of a transfer control flag of 
the personalized access ticket. 

66. (Original) The system of claim 65, wherein a special identification and a special 
enabler corresponding to the special identification which are known to all users are defined 
such that the generation of a new personalized access ticket and the changing of the holder of 
the personalized access ticket can be carried out by the holder of the personalized access 
ticket by using the special identification and the special enabler without using an enabler of a 
member identification. 




67. (Original) The system of claim 66, wherein the special identification is defined to 
be capable of being used only as the holder identification of the personalized access ticket. 

68. (Original) The system of claim 65, wherein a special identification which is 
known to all users is defined such that a read only attribute can be set to the personalized 
access ticket by using the special identification. 

69. (Original) The system of claim 40, wherein when the access right of the sender 
with respect to the recipient is verified according to the personalized access ticket, the secure 
communication service device takes out the recipient's identification from the personalized 
access ticket by using the sender's identification presented by the sender, converts the mail 
by using a taken out recipient's identification into a format that can be interpreted by a mail 
transfer function for actually carrying out a mail delivery processing, and gives the mail after 
conversion to the mail transfer function by attaching the personalized access ticket. 

70. (Currently amended) A communication system realizing email access control, 
comprising: 

a certification authority device for defining an official identification of each user by which 
each user is uniquely identifiable by the certification authority device, and an anonymous 
identification of each user which contains at least one fragment of the official identification 
such that each user cannot be personally identified by the anonymous identification; and

a communication network on which each user is identified by the anonymous 
identification of each user in communications for emails on the communication network. 

71. (Original) The system of claim 70, wherein the anonymous identification of each
user is an information containing the at least one fragment of the official identification of 
each user which is signed by the certification authority device using a secret key of the 
certification authority device.

72. (Original) The system of claim 70, wherein the official identification of each user
is a character string uniquely assigned to each user by the certification authority device and a
public key of each user which are signed by a secret key of the certification authority device.

73. (Original) The system of claim 70, further comprising:

a secure communication service device for connecting communications between the
sender and the receiver on the communication network, by receiving a personalized access
ticket containing a sender's anonymous identification and a recipient's anonymous
identification in correspondence, which is presented by a sender who wishes to send an email
to a recipient so as to specify the recipient as an intended destination of the email, and
controlling accesses between the sender and the recipient by verifying an access right of the
sender with respect to the recipient according to the personalized access ticket.

74. (Original) The system of claim 73, wherein the secure communication service
device probabilistically identifies an identity of the sender by reconstructing the official
identification of the sender while judging identity of a plurality of anonymous identifications
of the sender contained in a plurality of personalized access tickets used by the sender.

75. (Original) The system of claim 70, wherein the certification authority device also
defines a link information of each anonymous identification by which each anonymous
identification can be uniquely identified, and each anonymous identification also contains the
link information of each anonymous identification.

76. (Original) The system of claim 75, wherein the link information of each
anonymous identification is an identifier uniquely assigned to each anonymous identification
by the certification authority device.

77. (Original) The system of claim 75, further comprising:

a secure communication service device for connecting communications between the
sender and the receiver on the communication network, by receiving a personalized access
ticket containing a link information of a sender's anonymous identification and a link
information of a recipient's anonymous identification in correspondence, which is presented
by a sender who wishes to send an email to a recipient so as to specify the recipient as an
intended destination of the email, and controlling accesses between the sender and the
recipient by verifying an access right of the sender with respect to the recipient according to
the personalized access ticket.

78. (Original) The system of claim 77, wherein the secure communication service 
device probabilistically identifies an identity of the sender by reconstructing the official 
identification of the sender while judging identity of a plurality of link informations of 
anonymous identifications of the sender contained in a plurality of personalized access 
tickets used by the sender. 

79. (Currently amended) A secure communication service device for use in a 
communication system realizing email access control, comprising: 

a computer hardware; and 

a computer software for causing the computer hardware to connect communications 
between the sender and the receiver, by receiving a personalized access ticket containing a 
sender's identification and a recipient's identification in correspondence and indicating an 
access right, which is presented by a sender who wishes to send an email to a recipient so as
to specify the recipient as an intended destination of the email, and controlling accesses 
between the sender and the recipient by verifying an the access right of the sender with 
respect to the recipient according to the personalized access ticket. 

80. (Original) The secure communication service device of claim 79, wherein the 
computer software causes the computer hardware to authenticate the personalized access 
ticket presented by the sender, and refuse a delivery of the email when the personalized
access ticket presented by the sender has been altered. 

81. (Original) The secure communication service device of claim 80, wherein the
personalized access ticket is signed by a secret key of a secure processing device which 
issued the personalized access ticket, and the computer software causes the computer 
hardware to authenticate the personalized access ticket by verifying a signature of the secure 
processing device in the personalized access ticket using a public key of the secure 
processing device. 

82. (Original) The secure communication service device of claim 79, wherein the 
computer software causes the computer hardware to also receive the sender's identification 
presented by the sender along with the personalized access ticket, check whether the sender's 
identification presented by the sender is contained in the personalized access ticket presented 
by the sender, and refuse a delivery of the email when the sender's identification presented 
by the sender is not contained in the personalized access ticket presented by the sender. 

83. (Original) The secure communication service device of claim 79, wherein the 
personalized access ticket also contains a validity period indicating a period for which the 
personalized access ticket is valid, and the computer software causes the computer hardware 
to check the validity period contained in the personalized access ticket presented by the 
sender and refuse a delivery of the email when the personalized access ticket presented by 
the sender contains the validity period that has already been expired. 

84. (Original) The secure communication service device of claim 79, wherein the 
computer software causes the computer hardware to register in advance the personalized 
access ticket containing an identification of a specific user from which a delivery of emails to 
a specific registrant is to be refused as the sender's identification and an identification of the 
specific registrant as the recipient's identification, at the secure communication service 
device, and refuse a delivery of the email from the sender when the personalized access
ticket presented by the sender is registered at the secure communication service device in 
advance. 

85. (Original) The secure communication service device of claim 84, wherein the 
computer software causes the computer hardware to delete the personalized access ticket 
registered at the secure communication service device upon request from the specific 
registrant who registered the personalized access ticket. 

86. (Original) The secure communication service device of claim 79, wherein the 
personalized access ticket also contains a transfer control flag indicating whether or not the 
sender should be authenticated by the secure communication service device, and when the 
transfer control flag contained in the personalized access ticket indicates that the sender 
should be authenticated, the computer software causes the computer hardware to authenticate 
the sender's identification presented by the sender and refuse a delivery of the email when an 
authentication of the sender's identification fails. 

87. (Original) The secure communication service device of claim 86, wherein the 
computer software causes the computer hardware to realize the authentication of the sender's 
identification by a challenge/response procedure between the sender and the secure 
communication service device. 

88. (Original) The secure communication service device of claim 79, wherein the 
sender's identification and the recipient's identification in the personalized access ticket are 
given by anonymous identifications of the sender and the recipient, where an anonymous 
identification of each user contains at least one fragment of an official identification of each 
user by which each user is uniquely identifiable by a certification authority, and the computer 
software also causes the computer hardware to probabilistically identify an identity of the 
sender by reconstructing the official identification of the sender by judging identity of a 
plurality of anonymous identifications of the sender contained in a plurality of personalized
access tickets used by the sender. 

89. (Original) The secure communication service device of claim 79, wherein an 
anonymous identification of each user that contains at least one fragment of an official 
identification of each user by which each user is uniquely identifiable by a certification 
authority and a link information of each anonymous identification by which each anonymous 
identification can be uniquely identified are defined, the sender's identification and the 
recipient's identification in the personalized access ticket are given by a link information of 
the anonymous identification of the sender and a link information of the anonymous 
identification of the recipient, and the computer software also causes the computer hardware 
to probabilistically identify an identity of the sender by reconstructing the official 
identification of the sender by judging identity of a plurality of anonymous identifications of 
the sender corresponding to the link information contained in a plurality of personalized 
access tickets used by the sender. 

90. (Original) The secure communication service device of claim 79, wherein when 
the access right of the sender with respect to the recipient is verified according to the 
personalized access ticket, the computer software causes the computer hardware to take out 
the recipient's identification from the personalized access ticket by using the sender's 
identification presented by the sender, convert the mail by using a taken out recipient's 
identification into a format that can be interpreted by a mail transfer function for actually 
carrying out a mail delivery processing, and give the mail after conversion to the mail 
transfer function by attaching the personalized access ticket. 

91. (Currently amended) A secure processing device for use in a communication system
realizing email access control, comprising: 

a computer hardware; and

a computer software for causing the computer hardware to receive a request for a
personalized access ticket from a user, and issue a personalized access ticket containing a 
sender's identification and a recipient's identification in correspondence and indicating an 
access right, which is signed by a secret key of the secure processing device.

92. (Currently amended) A directory service device for use in a communication system 
realizing email access control, comprising: 

a computer hardware; and 

a computer software for causing the computer hardware to manage an identification of 
each registrant and a disclosed information of each registrant which has a lower secrecy than 
a personal information, in a state which is accessible for search by unspecified many, and 
issue a personalized access ticket containing a sender's identification and a recipient's 
identification in correspondence and indicating an access right, to the sender in response to
search conditions specified by the sender, by using an identification of a registrant whose 
disclosed information matches the search conditions as the recipient's identification and the 
sender's identification specified by the sender along with the search conditions. 

93. (Currently amended) A certification authority device for use in a communication 
system realizing email access control, comprising: 

a computer hardware; and 

a computer software for causing the computer hardware to issue to each user an official 
identification of each user by which each user is uniquely identifiable by the certification 
authority device, and an anonymous identification of each user which contains at least one 
fragment of the official identification such that each user cannot be personally identified by 
the anonymous identification.

94. (Currently amended) A certification authority device for use in a communication 
system realizing email access control, comprising: 

a computer hardware; and

a computer software for causing the computer hardware to issue to each user an
identification of each user and an enabler of the identification of each user indicating a right 
to change any personalized access ticket that contains the identification of each user as a 
holder identification, where the personalized access ticket generally contains a sender's
identification and a plurality of recipient's identifications in correspondence and indicates an
access right and one of the sender's identification and the recipient's identifications is a
holder identification.


95. (Currently amended) A secure processing device for use in a communication system 
realizing email access control, comprising: 
a computer hardware; and 

a computer software for causing the computer hardware to receive from a user a request 
for prescribed processing on a personalized access ticket containing a sender's identification 
and a plurality of recipient's identifications in correspondence and indicating an access right,
where one of the sender's identification and the recipient's identifications is a holder 
identification, and execute the prescribed processing on the personalized access ticket when 
the user presented both the holder identification contained in the personalized access ticket 
and an enabler corresponding to the holder identification which indicates a right to change 
the personalized access ticket containing the identification of the user as the holder 
identification. 

96. (Currently amended) A computer usable medium having computer readable program 
code means embodied therein for causing a computer to function as a secure communication 
service device for use in a communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing said computer to receive a 
personalized access ticket containing a sender's identification and a recipient's identification 
in correspondence and indicating an access right, which is presented by a sender who wishes
to send an email to a recipient so as to specify the recipient as an intended destination of the
email; and 

second computer readable program code means for causing said computer to control 
accesses between the sender and the recipient by verifying an the access right of the sender
with respect to the recipient according to the personalized access ticket, so as to connect 
communications between the sender and the receiver on the communication network. 

97. (Original) The computer usable medium of claim 96, the second computer 
readable program code means causes said computer to authenticate the personalized access 
ticket presented by the sender, and refuse a delivery of the email when the personalized 
access ticket presented by the sender has been altered. 

98. (Original) The computer usable medium of claim 97, wherein the personalized 
access ticket is signed by a secret key of a secure processing device which issued the 
personalized access ticket, and the second computer readable program code means causes 
said computer to authenticate the personalized access ticket by verifying a signature of the 
secure processing device in the personalized access ticket using a public key of the secure 
processing device. 

99. (Original) The computer usable medium of claim 96, wherein the first computer 
readable program code means causes said computer to also receive the sender's identification 
presented by the sender along with the personalized access ticket, and the second computer 
readable program code means causes said computer to check whether the sender's 
identification presented by the sender is contained in the personalized access ticket presented 
by the sender and refuse a delivery of the email when the sender's identification presented by 
the sender is not contained in the personalized access ticket presented by the sender. 

100. (Original) The computer usable medium of claim 96, wherein the personalized 
access ticket also contains a validity period indicating a period for which the personalized 
access ticket is valid, and the second computer readable program code means causes said
computer to check the validity period contained in the personalized access ticket presented 
by the sender and refuse a delivery of the email when the personalized access ticket 
presented by the sender contains the validity period that has already been expired. 

101. (Original) The computer usable medium of claim 96, wherein the second 
computer readable program code means causes said computer to register in advance the 
personalized access ticket containing an identification of a specific user from which a 
delivery of emails to a specific registrant is to be refused as the sender's identification and an 
identification of the specific registrant as the recipient's identification, at the secure 
communication service device, and refuse a delivery of the email from the sender when the 
personalized access ticket presented by the sender is registered at the secure communication 
service device in advance. 

102. (Original) The computer usable medium of claim 101, wherein the second
computer readable program code means causes said computer to delete the personalized 
access ticket registered at the secure communication service device upon request from the 
specific registrant who registered the personalized access ticket. 

103. (Original) The computer usable medium of claim 96, wherein the personalized 
access ticket also contains a transfer control flag indicating whether or not the sender should 
be authenticated by the secure communication service device, and when the transfer control 
flag contained in the personalized access ticket indicates that the sender should be 
authenticated, the second computer readable program code means causes said computer to 
authenticate the sender's identification presented by the sender and refuse a delivery of the 
email when an authentication of the sender's identification fails. 

104. (Original) The computer usable medium of claim 103, wherein the second 
computer readable program code means causes said computer to realize the authentication of 
the sender's identification by a challenge/response procedure between the sender and the
secure communication service device. 

105. (Original) The computer usable medium of claim 96, wherein the sender's
identification and the recipient's identification in the personalized access ticket are given by 
anonymous identifications of the sender and the recipient, where an anonymous 
identification of each user contains at least one fragment of an official identification of each 
user by which each user is uniquely identifiable by a certification authority, and the second 
computer readable program code means also causes said computer to probabilistically 
identify an identity of the sender by reconstructing the official identification of the sender by 
judging identity of a plurality of anonymous identifications of the sender contained in a 
plurality of personalized access tickets used by the sender. 

106. (Original) The computer usable medium of claim 96, wherein an anonymous 
identification of each user that contains at least one fragment of an official identification of 
each user by which each user is uniquely identifiable by a certification authority and a link 
information of each anonymous identification by which each anonymous identification can 
be uniquely identified are defined, the sender's identification and the recipient's identification 
in the personalized access ticket are given by a link information of the anonymous 
identification of the sender and a link information of the anonymous identification of the 
recipient, and the second computer readable program code means also causes said computer 
to probabilistically identify an identity of the sender by reconstructing the official 
identification of the sender by judging identity of a plurality of anonymous identifications of 
the sender corresponding to the link information contained in a plurality of personalized 
access tickets used by the sender. 

107. (Original) The computer usable medium of claim 96, wherein when the access 
right of the sender with respect to the recipient is verified according to the personalized 
access ticket, the second computer readable program code means causes said computer to 
take out the recipient's identification from the personalized access ticket by using the sender's
identification presented by the sender, convert the mail by using a taken out recipient's 
identification into a format that can be interpreted by a mail transfer function for actually 
carrying out a mail delivery processing, and give the mail after conversion to the mail 
transfer function by attaching the personalized access ticket. 

108. (Currently amended) A computer usable medium having computer readable program 
code means embodied therein for causing a computer to function as a secure processing 
device for use in a communication system realizing email access control, the computer 
readable program code means includes: 

first computer readable program code means for causing said computer to receive a 
request for a personalized access ticket from a user; and 

second computer readable program code means for causing said computer to issue the 
personalized access ticket containing a sender's identification and a recipient's identification 
in correspondence and indicating an access right, which is signed by a secret key of the
secure processing device. 

109. (Currently amended) A computer usable medium having computer readable program 
code means embodied therein for causing a computer to function as a directory service 
device for use in a communication system realizing email access control, the
computer readable program code means includes: 

first computer readable program code means for causing said computer to manage an 
identification of each registrant and a disclosed information of each registrant which has a 
lower secrecy than a personal information, in a state which is accessible for search by 
unspecified many, and 

second computer readable program code means for causing said computer to issue a 
personalized access ticket containing a sender's identification and a recipient's identification 
in correspondence and indicating an access right, to the sender in response to search
conditions specified by the sender, by using an identification of a registrant whose disclosed 
information matches the search conditions as the recipient's identification and the sender's
identification specified by the sender along with the search conditions. 

110. (Currently amended) A computer usable medium having computer readable program
code means embodied therein for causing a computer to function as a certification authority 
device for use in a communication system realizing email access control, the computer 
readable program code means includes: 

first computer readable program code means for causing said computer to issue to each 
user an official identification of each user by which each user is uniquely identifiable by the 
certification authority device; and 

second computer readable program code means for causing said computer to issue to each 
user an anonymous identification of each user which contains at least one fragment of the 
official identification such that each user cannot be personally identified by the anonymous 
identification.

111. (Currently amended) A computer usable medium having computer readable program 
code means embodied therein for causing a computer to function as a certification authority 
device for use in a communication system realizing email access control, the computer 
readable program code means includes: 

first computer readable program code means for causing said computer to issue to each 
user an identification of each user; and 

second computer readable program code means for causing said computer to issue to each 
user an enabler of the identification of each user indicating a right to change any 
personalized access ticket that contains the identification of each user as a holder 
identification, where the personalized access ticket generally contains a sender's identification
and a plurality of recipient's identifications in correspondence and indicates an access right 
and one of the sender's identification and the recipient's identifications is a holder 
identification.

112. (Currently amended) A computer usable medium having computer readable program
code means embodied therein for causing a computer to function as a secure processing 
device for use in a communication system realizing email access control, the computer 
readable program code means includes: 

first computer readable program code means for causing said computer to receive from a 
user a request for prescribed processing on a personalized access ticket containing a sender's 
identification and a plurality of recipient's identifications in correspondence and indicating an 
access right, where one of the sender's identification and the recipient's identifications is a
holder identification; and 

second computer readable program code means for causing said computer to execute the 
prescribed processing on the personalized access ticket when the user presented both the 
holder identification contained in the personalized access ticket and an enabler corresponding 
to the holder identification which indicates a right to change the personalized access ticket 
containing the identification of the user as the holder identification. 
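
The refusal checks recited in claims 79 to 87 (and again in claims 96 to 104), shown in one possible order as an added Go example that is not part of the application: issuer signature, sender identification, validity period, registered refusal, then challenge/response when the transfer control flag is set. The ticket layout, the choice of Ed25519, the per-sender enrolled keys and all names and values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Ticket is an assumed layout for a personalized access ticket.
type Ticket struct {
	Sender, Recipient string
	NotAfter          int64  // validity period end, Unix seconds
	AuthSender        bool   // transfer control flag
	Sig               []byte // issuer's signature over payload()
}

// payload quotes each field so a value cannot spill across a boundary.
func (t Ticket) payload() []byte {
	return []byte(fmt.Sprintf("%q|%q|%d|%t", t.Sender, t.Recipient, t.NotAfter, t.AuthSender))
}

// Issue plays the secure processing device: it signs with its secret key.
func Issue(secret ed25519.PrivateKey, t Ticket) Ticket {
	t.Sig = ed25519.Sign(secret, t.payload())
	return t
}

// Service plays the secure communication service.
type Service struct {
	IssuerPub  ed25519.PublicKey
	SenderKeys map[string]ed25519.PublicKey // assumed: one enrolled key per sender
	Refused    map[[2]string]bool           // {sender, recipient} registered for refusal
	Now        func() int64
}

// Check returns the recipient to deliver to, or the reason for refusal.
// respond is the sender's half of the challenge/response exchange.
func (s *Service) Check(t Ticket, presented string, respond func([]byte) []byte) (string, error) {
	switch { // the signature is verified before any ticket field is trusted
	case !ed25519.Verify(s.IssuerPub, t.payload(), t.Sig):
		return "", errors.New("ticket altered")
	case presented != t.Sender:
		return "", errors.New("sender not in ticket")
	case s.Now() > t.NotAfter:
		return "", errors.New("ticket expired")
	case s.Refused[[2]string{t.Sender, t.Recipient}]:
		return "", errors.New("ticket registered for refusal")
	case !t.AuthSender:
		return t.Recipient, nil
	}
	nonce := make([]byte, 32) // fresh challenge, so a recorded response fails
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	key, known := s.SenderKeys[presented]
	if !known || respond == nil || !ed25519.Verify(key, nonce, respond(nonce)) {
		return "", errors.New("sender authentication failed")
	}
	return t.Recipient, nil
}

// fixture builds a constructed service and one valid alice -> bob ticket.
func fixture() (svc *Service, good Ticket, answer func([]byte) []byte) {
	pub, secret, _ := ed25519.GenerateKey(nil)
	alicePub, aliceKey, _ := ed25519.GenerateKey(nil)
	svc = &Service{IssuerPub: pub, Now: func() int64 { return 1700000000 },
		SenderKeys: map[string]ed25519.PublicKey{"alice": alicePub}, Refused: map[[2]string]bool{}}
	good = Issue(secret, Ticket{Sender: "alice", Recipient: "bob", NotAfter: 1700003600, AuthSender: true})
	return svc, good, func(c []byte) []byte { return ed25519.Sign(aliceKey, c) }
}

func main() {
	svc, good, answer := fixture()
	fmt.Println(svc.Check(good, "alice", answer))
	altered := good
	altered.Recipient = "carol" // changed after signing
	fmt.Println(svc.Check(altered, "alice", answer))
}
```

On success `Check` hands back the recipient's identification taken from the ticket, which is the value claims 90 and 107 pass on to the mail transfer function.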